autofocus: a tool for automatic traffic analysis

AutoFocus: A Tool for AutoFocus: A Tool for Automatic Traffic AnalysisAutomatic Traffic Analysis

Cristian Estan,

University of California, San Diego

October 2003 AutoFocus - NANOG 29 2

Who is using my link?Who is using my link?


Informal problem definitionInformal problem definition

Gigabytes of measurement

data

Analysis Traffic reports

Applications:

50% of traffic is Kazaa

Sources:

20% is from Steve’s PC


Informal problem definitionInformal problem definition

Gigabytes of measurement

data

20% is Kazaa from Steve’s PC

50% is Kazaa from network A

Analysis Traffic reports


AutoFocus: system structureAutoFocus: system structure

Trafficparser

Web basedGUI

Trafficanalyzer

Grapher

(sampled) NetFlow data or Packet header traces

categories

names


System detailsSystem details

Availability Downloadable Free for educational, research and non-profit use

Requirements Linux or BSD (might run on other Unix OSes) 256 Megs of RAM at least 1-10 gigabytes of hard disk (depends on traffic) Recent Netscape, Mozilla or I.E. (Javascript) Needs no web server – no server side scripting


Traffic analysis approachTraffic analysis approach

Characterize traffic mix by describing all important traffic clusters

Multi-field clusters (e.g. flash crowd described by protocol, port number and IP address)

At the the right level of granularity (e.g. computer, proper prefix length)

Analysis is automated – finds insightful data without human guidance


Traffic clusters: exampleTraffic clusters: example

Incoming web traffic for CS Dept. SrcIP=*, DestIP in 132.239.64.0/21, Proto=TCP, SrcPort=80, DestPort in [1024,65535]


Traffic reports automatically list significant traffic clusters

Describe only clusters above threshold (e.g. T=total of traffic/20)

Compression removes redundant clusters whose traffic can be inferred from more specific clusters

Traffic reportTraffic report


Automatic cluster selectionAutomatic cluster selection

10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.8 10.0.0.9 10.0.0.10 10.0.0.14

15 35 30 40 160 110 35 75

10.0.0.2/31 10.0.0.4/3150 10.0.0.8/31 10.0.0.10/31

70 270 35 75

10.0.0.0/30 10.0.0.4/30 10.0.0.8/30 7530550 70

10.0.0.0/29 10.0.0.8/29120 380

10.0.0.0/28 500

10.0.0.14/31

10.0.0.12/30



10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.8 10.0.0.9 10.0.0.10 10.0.0.14

15 35 30 40 160 110 35 75

10.0.0.2/31 10.0.0.4/3150 10.0.0.8/31 10.0.0.10/31

70 270 35 75

10.0.0.0/30 10.0.0.4/30 10.0.0.8/30 7530550 70

10.0.0.0/29 10.0.0.8/29120 380

10.0.0.0/28 500500

120 380

305

270

160 110

Threshold=100

10.0.0.14/31

10.0.0.12/30


270

120

500

305

380

160 110


10.0.0.8 10.0.0.9

10.0.0.0/29 10.0.0.8/29

10.0.0.8/31

10.0.0.8/30

10.0.0.0/28

120 380

160 110

Compression keeps interesting clusters by removing those that can be inferred from more specific

ones

305-270<100

380-270≥100


Single field report exampleSingle field report example

Source IP Traffic

pkts.

10.0.0.0/29 120

10.0.0.8/29 380

10.0.0.8 160

10.0.0.9 110

AutoFocus has both single field and

multi-field traffic reports


Graphical user interfaceGraphical user interface

Web based interface Many pre-computed traffic reports Interactive drill-down Traffic categories defined by user


Traffic reports for weeks, days, three

hour intervals and half hour

intervals


Traffic reports measure traffic

in bytes, packets and flows, have

various thresholds


Single field report


Colors – user defined traffic categories

Separate reports for each category


The filter and threshold allow

interactive drill-down


Case study : SD-NAPCase study : SD-NAP

Structure of regular traffic mix Backups from CAIDA to tape server

FTP from SLAC Stanford

Scripps web traffic

Web & Squid servers

Large ssh traffic

Steady ICMP probing from CAIDA

Unexpected events


Backups from CAIDA to tape server

Structure of regular traffic mixStructure of regular traffic mix

SD-NAP


Backups from CAIDA to tape server

Semi-regular time pattern


SD-NAP


Steady ICMP probing from CAIDA


SD-NAP

The flow view highlights

different traffic clusters


Analysis of unusual eventsAnalysis of unusual events

Sapphire/SQL Slammer worm Find worm port & proto automatically


Analysis of unusual eventsAnalysis of unusual events

Sapphire/SQL Slammer worm Can identify infected hosts


How can AutoFocus help you?How can AutoFocus help you?

Understand your regular traffic mix better

Better planning of network growth

Better traffic policing

Understand unusual events

More effective reactions to worms, DoS attacks

Notice effects of route changes on traffic


Benefits w.r.t. existing toolsBenefits w.r.t. existing tools

Multi-field aggregation Automatically finds right granularity Drill-down

Per category reports Using filter


Thank you!Thank you!

Beta version of AutoFocus downloadable from

http://ial.ucsd.edu/AutoFocus/

Any questions?

Acknowledgements: Stefan Savage, George Varghese, Vern Paxson, David Moore, Liliana Estan, Mike Hunter, Pat Wilson, Jennifer Rexford, K Claffy, Alex Snoeren, Geoff Voelker, NIST,NSF

http://ial.ucsd.edu/AutoFocus/


Definition: unexpectednessDefinition: unexpectedness

To highlight non-obvious traffic clusters by using unexpectedness label 50% of all traffic is web Prefix B receives 20% of all traffic The web traffic received by prefix B is 15%

instead of 50%*20%=10%, unexpectedness label is 15%/10%=150%

autofocus: a tool for automatic traffic analysis

Documents

traffic reporttraffic

exampleincoming web

regular traffic mixsteady

redundant clusters

interesting clusters

web server

usertraffic reports

human guidancetraffic